Talos Vulnerability Report

TALOS-2017-0292

AntennaHouse DMC HTMLFilter AddSst Code Execution Vulnerability

May 4, 2017

CVE Number

CVE-2017-2799

Summary

An exploitable heap corruption vulnerability exists in the AddSst functionality of AntennaHouse DMC HTMLFilter as used by MarkLogic 8.0-6. A specially crafted XLS file can cause a heap corruption resulting in arbitrary code execution.
An attacker can send/provide a malicious XLS file to trigger this vulnerability.

Product URLs

CVSSv3 Score

Details

This vulnerability is present in the AntennaHouse DMC HTMLFilter which is used, among others, to convert XLS files to (X)HTML form.

This product is mainly used by MarkLogic for office document conversions as part of their web based document search and rendering engine.
A specially crafted XLS file can lead to heap corruption and ultimately to remote code execution.

The heap overflow occurs in the AddSst function and is triggered by a memcpy; the buffer involved in this overflow is allocated in the same function.
The pseudo-code of the most important part of this function looks as follows:

At line 4 the value for v4 is read directly from the file and later used for the allocation at line 6. The memcpy which causes the overflow is located at line 19. The problem occurs because
the loop condition for the while loop at line 13 is wrong:

flag & 1 && n + index > a1->length

This leads to a situation where a bigger index is subtracted from a smaller a1->length value at line 17. This results in an integer underflow; the resulting value is stored in v11 and is used as the size argument of the memcpy at line 19. As a result the memcpy attempts to copy a huge amount of data:

The values come from the following locations in the file:
a1->length - is the Length field of the SST record located at file offset 0x948.
flag - comes from a wrongly interpreted BoundSheet record located at file offset 0x92E. Exactly one byte from the SheetName field, which is "Sheet1", is interpreted as the flag: its first letter "e" (0x65), whose low bit is set, so flag & 1 holds.
v4 - also comes from the aforementioned BoundSheet record. Its WORD-sized value also comes from the SheetName string and is equal to 0x6853 ('Sh').
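The following C program is an added illustration of the bug pattern described above, not code from the advisory or from AntennaHouse. It models the three pieces the write-up names (the a1->length record length, the flag byte tested with flag & 1, and the v4-sized heap allocation) with hypothetical names and constructed values, shows how an index larger than the record length turns length - index into a near-SIZE_MAX memcpy size, and places a hardened variant beside it that rejects both the underflow and a copy larger than the allocation. The flawed path only computes the size; it deliberately does not perform the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the SST record (a1 in the write-up): the payload
 * plus the Length field taken from the record header in the XLS file. */
typedef struct {
    const uint8_t *data;
    size_t length;           /* a1->length, attacker controlled */
} sst_record_t;

/* The loop condition quoted in the write-up: flag & 1 && n + index > length.
 * It keeps the loop body running precisely when index has passed the end
 * of the record, which is the opposite of a bounds check. */
int flawed_loop_continues(uint8_t flag, size_t n, size_t index, size_t length)
{
    return (flag & 1) && n + index > length;
}

/* Size memcpy receives in the flawed loop body: length - index in unsigned
 * arithmetic (v11 in the write-up). With index > length this wraps to a
 * value close to SIZE_MAX. Only the size is computed here; no copy is done. */
size_t flawed_copy_size(size_t length, size_t index)
{
    return length - index;
}

/* Hardened variant (assumed fix, not the vendor's): refuse to copy when the
 * subtraction would underflow or when the result exceeds the v4-byte heap
 * buffer allocated for it. Returns bytes copied, or -1 on rejection. */
long checked_add_sst(const sst_record_t *rec, size_t index, uint16_t v4,
                     uint8_t *out)
{
    if (index > rec->length)          /* length - index would underflow */
        return -1;
    size_t v11 = rec->length - index;
    if (v11 > v4)                     /* would overflow the malloc(v4) buffer */
        return -1;
    memcpy(out, rec->data + index, v11);
    return (long)v11;
}

/* Constructed demo: a 0x40-byte SST payload, a v4 allocation of 0x30 bytes,
 * the flag byte 'e' from "Sheet1", and an index already past the record. */
int demo(void)
{
    static uint8_t payload[0x40];
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)i;
    sst_record_t rec = { payload, sizeof payload };
    uint16_t v4 = 0x30;
    uint8_t flag = 'e';               /* 0x65, low bit set */
    size_t index = 0x50, n = 8;

    uint8_t *buf = malloc(v4);
    if (!buf)
        return 1;

    if (flawed_loop_continues(flag, n, index, rec.length)) {
        size_t bad = flawed_copy_size(rec.length, index);
        printf("flawed loop body runs: memcpy size 0x%zx into a 0x%x-byte buffer\n",
               bad, v4);
    }
    printf("checked copy, index 0x10: %ld bytes\n",
           checked_add_sst(&rec, 0x10, v4, buf));
    printf("checked copy, index 0x50: %ld (rejected)\n",
           checked_add_sst(&rec, index, v4, buf));

    free(buf);
    return 0;
}

int main(void)
{
    return demo();
}
```

Compile with any C99 compiler; the flawed path prints the wrapped size instead of executing the copy, so the program runs to completion. The hardened function makes both checks explicit: the ordering of index and length before the subtraction, and the result against the allocation size that was itself read from the file.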